topic Re: How to create privilege AAA for username in Network Access Control

How to create privilege AAA for username

fchew — Fri, 21 Feb 2020 18:04:48 GMT

I do not have any ACS server but would like to create 3 usernames for access to certain list of IOS commands in CISCO IOS ver 12.0 using AAA-model. I tried using CISCO search engine but without much success. Appreciate any available tips to help me to configure 3 different users with different privilege in the router.

username xxxxx password xxxx privilege 5

In addition, is there any means in the IOS to facilitate changing of password upon logging into the router ?

Thanks/Francis

Re: How to create privilege AAA for username

Nairi Adamian — Wed, 30 Oct 2002 12:02:10 GMT

The following URL includes the information you need regarding the privilege levels:

http://www.cisco.com/en/US/customer/tech/tk648/tk367/technologies_tech_note09186a008009465c.shtml

hope this helps,

-Nairi

Re: How to create privilege AAA for username

4brown — Wed, 30 Oct 2002 13:18:36 GMT

Here is an example of using 3 separate levels, MAKE sure you create the usernames first. I like to disable AAA on the console port also, since this is an element of physical security in most cases. If someone has physical access, they can still do a password recovery but this depends on your security requirements.

You must first log out, and then log back into the router following the inclusion of the aaa authorization commands 15 local if-authenticated command.

Syntax may vary somewhat on the AAA commands depending on your version.

username rtr_low privilege 1 password xxxxxxx

username rtr_med privilege 7 password xxxxxxx

username rtr_super privilege 15 password xxxxxx

aaa new-model

aaa authentication login default local enable

aaa authentication login NO_AUTHEN none

aaa authorization exec default local if-authenticated

aaa authorization exec NO_AUTHOR none

aaa authorization commands 15 NO_AUTHOR none

aaa authorization commands 1 local if-authenticated

aaa authorization commands 5 local if-authenticated

aaa authorization commands 15 local if-authenticated

line con 0

authorization commands 15 NO_AUTHOR

authorization exec NO_AUTHOR

Now you have created 3 sets of command authorization for all users. If you notice, priv 15 users will be taken into priv level 15 automatically without having to enable. This is part of EXEC authorization.

Privilege level 1 and 15 commands are already configured in IOS. You will have to set the level of commands for privilege 5 yourself with this command:

privilege-exec level 5

So to change the level of "sh run" from 15 to 5:

privilege-exec level 5 show running config

Use this to custom configure any of your other commands depending on your requirements.

Hope this helps...

Re: How to create privilege AAA for username

fchew — Mon, 04 Nov 2002 11:12:37 GMT

Thanks for the good tips & it works great..Again, many thanks../Francis